TRA Release History
The TRA Release History contains the historical changes published to the TRA, in reverse chronological order. Note: Older releases may contain content or links that have been modified or deleted.
| Section | Chapter | Revised Topic | Revision Description |
|---|---|---|---|
|
2025 R1 Authorized 31/Dec/25 |
|||
| N/A | N/A | Throughout |
Corrected links and references to archived or rescinded Executive Orders and OMB Memoranda Added content and links to new and prior Executive Orders and OMB Memoranda |
| N/A | N/A | Throughout | Updated selected links to CMS Risk Management Handbooks and new ISPG policy guidance |
| Foundation | CMS Strategic Guidance and Preferred Solutions | N/A | Updated for decommission of Enterprise Data Mesh and EUDC, introduction of IDR Enterprise Data Product (EDP) Updated guidance and policy regarding Microsoft 365 products, GitHub, and SAS-EBI. |
| Foundation | Artificial Intelligence Guidance | N/A | New guidance for the use of artificial intelligence at CMS |
| Foundation | CMS TRA Business Rules |
BR-F-5: Any System That Processes CMS Data ... ATO BR-F-8: Backup CMS Data |
Changed citation to FISMA Deprecation of the Cloud Protection Manager (CPM), recommended replacement by AWS Backups |
| Infrastructure Services | Disaster Recovery | Introduction, Capability Considerations, Business Rules |
Reflects deprecation of Disaster Recovery Tiers, emphasis on Business Impact Analysis |
| Infrastructure Services | Disaster Recovery Business Rules | Business rules withdrawn based per replacement of Risk Management Handbook Chapter 6: Contingency Planning by CMS Information System Contingency Plan (ISCP) Handbook | |
| Application Development | Principles |
Design for Caching Introducing New Software |
Updated and clarified caching guidance Expanded and clarified |
| Application Development | Digital Service Delivery and Human Centered Design | N/A | Added links to resources |
| Application Development | Business Rules and Recommended Practices | Artificial-Intelligence-Assisted Coding | New Recommended Practices regarding AI-Assisted and AI-Generated Coding |
| Application Development | Web-Based UI Services |
BR-UX-3: Provide Multilingual Capability BR-UI-12: Authentication |
Added references and note regarding Executive Order 14224, “Designating English as the Official Language of the United States” Updated language and references regarding anonymous access and password complexity |
| Application Development | Open Source | Updated CMS Open Source Software Policy and information about the SHARE IT Act of 2024. | |
| Data | Data Management |
Enterprise Data Business Rules Enterprise Data Mesh EUDC |
Business rules preserved from Enterprise Data Mesh Introduction of IDR Enterprise Data Product (EDP) Reflects decommission of Enterprise Data Mesh and EUDC, introduction of IDR Enterprise Data Product (EDP) |
| Data | Business Intelligence & Analytics | Business Intelligence Environment | New content about Microsoft Power BI, comment about deprecation of SAS-EBI |
|
2024 R3 Authorized 04/Oct/24 |
|||
| Infrastructure Services | Software as a Service | Updated Software as a Service per SaaS Governance policy changes | |
| Data Management | File Transfer | Updated Enterprise File Transfer (EFT) information | |
| Application Development | Business Rules |
BR-SA-10: Applications in CMS Data Centers May Not Use Some Native Email Protocols |
Updated SMTP Email Relay information |
| Foundation | N/A | Changed Nomenclature to “CMS Hybrid Cloud” Removed references to CMS batCAVE, discontinued after September 2024 |
|
|
2024 R2.1 Released 30 Apr 24 |
|||
| Foundation | N/A | TRB Engagement Guidance | Updated 10/25/2023 whitepaper and related content |
| References | N/A | TRA Business Rule Index and throughout | Added text of deprecated and withdrawn TRA Business Rules (BR) and Recommended Practices (RP) |
|
2024 R2 Authorized 23 May 24 |
|||
| Data | Data Management | Reorganized TRA sections related to data management resources | |
| Data | Data Storage | Data Storage Services | Reorganized TRA sections related to data storage |
| Data | Data Usage | Business Intelligence | Reorganized TRA sections related to consuming data, including Business Intelligence and Analytics |
| Foundation | CMS Strategic Guidance and Preferred Solutions | CMS Strategic Guidance and Preferred Solutions | Updated enterprise services, including collaboration services |
| Application Development | N/A | Principles | New content and recommended practice for Threat Modeling |
| References | TRA Glossary | TRA Glossary | Reorganize data-related terms |
| Application Development | N/A | Application Development Introduction | Consolidate the application development topics Concepts and Terminology, Principles |
|
2024 R1.1 Released 4 Apr 24 |
|||
| References | N/A | TRA Business Rule Index | Added an index of TRA Business Rules (BR) and Recommended Practices (RP) |
|
2024 R1 Authorized 6 Feb 24 |
|||
| Foundation | N/A | Introduced new content summarizing CMS recommendations or enterprise solutions. | |
| Data Management | N/A |
New content describes major CMS data services and data sources. New guidance emphasizes how CMS data must be kept within CMS authorization boundaries. |
|
| Application Development | Business Intelligence | Business Intelligence Environment | Updated Business Intelligence (BI) and Data Analytics resources, incorporating information from the Data Analytics & BI Tools Research Spotlight published May 12, 2023 as well as the EADG BI Tools pages. Some major CMS repositories feature close integration with BI and Analytics tools. |
|
Application Development Infrastructure Services |
Multiple | Multiple | Added callouts in relevant topics with CMS strategic guidance and recommendations or enterprise solutions. Future updates will add detailed guidance in other TRA topics. |
| Application Development | N/A |
Blockchain Technology Fast Data |
Removed Fast Data and Blockchain from the TRA (the 4/26/21 Research Spotlight remains). |
|
2023 R2 Authorized 6 Sep 23 |
|||
| Application Development | Business Rules and Recommended Practices | BR-SA-10: Applications in CMS Data Centers May Not Use Some Native Email Protocols |
Updated Business Rule to reflect new CMS email architecture based on move from HHS to CMS tenant. |
| Infrastructure Services | Mobile Device Management | Mobile Device Management | Significant updates have been made across this chapter to align with current HHS mobile device policy In addition, the several sections within this chapter have been consolidated into a single web page for easier viewing and navigation. |
| Foundation | Zero Trust | Zero Trust | A new section introduces the CISA Zero Trust Maturity Model and shows how CMS TRA Business Rules and Recommended Practices align with it. |
| Application Development | Business Rules and Recommended Practices |
BR-SA-1: Use CMS Shared Services BR-SA-2: Integrate with the CMS Identity Management Services BR-SQ-5: Manual Code and Design Reviews Are Mandatory |
Updated business rules to reflect TRB role as advising rather than approving, and removed references to legacy gate review process step. |
| Application Development | Open Source Business Rules | RP-OSS-2: Implement the Tools to Support the Community Around a CMS-Released OSS Project | Minor update to language regarding tools to support roadmap publication. |
|
2023 R1.1 Released 14 Feb 23 |
|||
| All | Multiple | Multiple |
Legacy Volume, Chapter, and Section references changed to hyperlinks to content titles Selected business rule references now link to the rules |
|
2023 R1 Authorized 14 Feb 23 |
|||
| Foundation | CMS TRA Business Rules | BR-F-3: The CMS TRA Defines a Zoned Architecture | Align zones with the Services Framework |
| Foundation | CMS TRA Business Rules | BR-F-4: Within a Data Center, Communication Must Flow Only between Adjacent Zones or within a Single Zone | Updated rule title to refer to 'processing environment' rather than data center to be cloud-inclusive. Updated text to clarify that zones refer to CMS TRA zones (vs. cloud availability zones). |
| Foundation | CMS TRA Business Rules | BR-F-5: Any System That Processes CMS Data Must Be Covered by a CMS ATO | Updated the business rule to remove reference to prior ATO guide and instead reference the current CMS ATO website. |
| Foundation | CMS TRA Business Rules | RP-F-21: Limit Data in the Application and Presentation Zones | Refer to Application Services and not just Application Zone to align with the Services Framework |
| Foundation | CMS Technical Review Board | CMS Technical Review Board | Updated to refer to TRB guidance rather than TRB approval, and TRB consult vs TRB review. |
| Foundation | CMS TRA Change Request Process | TRA Architecture Change Process | Updated the text and the diagram in this topic to align with current process and provide reference to the TRA websites. |
| Foundation | Services Framework |
CMS Services Framework Guidance CMS Services Framework Services Services Framework - Mediation Services Services Framework Summary |
Significant updates across the entire Services Framework section. Includes new content and clarification of services framework concepts and relationship to multi-zone architecture. Also includes re-organization of the content, so some prior topics are removed and content shifted into different topics |
| All | Multiple | Multiple | Across the entire TRA, changed from Security and Management 'band' to 'zone' to provide consistency across data center and cloud environments |
| Infrastructure Services | File Transfer | BR-EFT-11: CMS Data Files May Only Be Transferred to the Data Zone | Updated to reflect Services Framework and cloud deployments |
| Infrastructure Services | Data Storage Services | BR-AWS-2: The S3 Storage Must Be Attached / Accessible from Not More Than One Zone | Update Zonal attachment guidance based on Services Framework |
| Infrastructure Services | Data Storage Services | BR-AWS-3: Do Not Allow Cross-Zone Access to S3 | Include reference to required security challenges |
| Infrastructure Services | Cloud IaaS and PaaS Infrastructure | BR-CI-9: Applicability of Multi-Zone Architecture | Updated rationale to reflect TRB consult vs approval |
| Infrastructure Services | Software as a Service |
Software as a Service Introduction BR-SAAS-6: Perform Configuration Management |
Updated SaaS guidance based on the new CMS SaaS Governance program |
| Application Development | Application Development Context | Application Development Context | Updated services framework info and removed duplicative content and instead provided links to services framework and multi-zone topic |
| Application Development | Application Development | BR-SA-3: No Custom Application Code Is Permitted in the Presentation Zone | Updated to reflect Services Framework |
| Application Development | Application Development | BR-SA-4: Use TRB-Validated Approved Data Zone Mediation and Data Access Services to Access Data in the Data Zone | Updated to reflect Services Framework |
| Application Development | Application Development | BR-SA-9: Systems Must Define Metrics for IT Health Monitoring | Updated title and guidance of infrastructure monitoring business rule to reflect both cloud and data center environments. |
| Application Development | Web Services and Web APIs | BR-WS-9: Inter-Zone Web Services Must Transverse a Mediated Service | Updated to reflect Services Framework |
| Application Development | Web Services and Web APIs | BR-WS-12: Messages Must Pass through All Intermediate Zones | Updated to reflect Services Framework |
| Application Development | Containers and Microservices | BR-CA-1: The CMS Zonal Architecture Must Be Preserved | Updated to reflect Services Framework |
| Application Development | Containers and Microservices | BR-CA-3: The CMS TRA Zonal Hierarchy Will Be Enforced | Updated to reflect Services Framework |
| Application Development | Web Services and Web APIs | Service Deployment in the Multi-Zone Architecture | Updated to reflect Services Framework |
| Application Development | Input Validation | CMS TRA and CMS ARS Requirements | Updated to reflect Services Framework |
|
2022 R1.1 Released 1 Nov 22 |
|||
| Summary of Changes | N/A | Change Log of All Releases |
Need a historical account of all changes made to the TRA: Added the complete change log as its own section. It will be redacted for the external versions. It will not contain "in-flight" changes. |
| List of TRA References | N/A | List of TRA References | Across the entire section, updated references to current versions and provided updated active hyperlinks to references |
|
Services Framework Glossary |
N/A | Updated fonts to align with overall TRA styles | |
|
2022 R1 Authorized 14 Jul 22 |
|||
| All | Various | Footnotes |
Legacy footnotes embedded in text (hover) are showing obsolete or redundant information: Removed (hover) footnote text where applicable. (ongoing) |
| All | Various | Volume references | Removed references to TRA "Volumes" and point to appropriate online section where applicable. |
| All | Various | Security control name changes in ARS 5 (aligned to NIST SP 800-53 rev 5) |
The titles/names of over 40 controls were changed in ARS 5: Updated all TRA references to these controls to align with the new ARS 5 naming |
| All | Various | New security controls added to CMS baselines as part of the ARS 5 update (aligned to NIST SP 800-53 rev 5) |
21 new security controls were added to CMS baselines with ARS 5: Added TRA references to the new controls as appropriate in various business rules throughout the TRA content |
| All | Various | ARS 4 Privacy Catalog controls (AR, DI, DM control sets; NIST 800-53 rev 4 Appendix J) integrated into the main control families in ARS 5 |
Legacy privacy controls migrated into other ARS 5 controls: References to legacy AR, DI, and DM controls have been updated across the TRA based on the NIST recommended mapping to new controls |
| All | Various | Legacy CMS-specific controls (SC-CMS-1, SC-CMS-2) |
In ARS 5, legacy CMS controls have been withdrawn and mapped into other standard controls: References to the legacy CMS specific controls have been mapped to new controls based on guidance from the CMS ISPG policy team. |
| Network Services, Infrastructure Services | Business Rules |
BR-ACID-6: Minimize Retention of PII in Identity Life-Cycle Management BR-SAAS-4: Plan for Data Archival to Comply with Federal Records Management |
Updated to reflect ARS changes: Replaced withdrawn security control DM-2 with MP-6, SI-12, and SI-12(3) |
| Foundation | Various places throughout the TRA |
ARS version change after update to ARS 5 : Change to url security.cms.gov and https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars where applicable |
|
| Foundation | TRA Services Framework |
CMS TRA Services Framework Architecture, Guidance, Services CMS TRA Services Framework, Protecting Services, Framework Summary |
New chapters developed to provide guidance on services framework architecture intended to modernize multi-zone architecture. |
| Various | Various places throughout the TRA |
Various topic places through the TRA that contain related information about the TRA Services Framework. |
Integrate new services framework information into the existing TRA content. |
| Foundation | TRA Business Rules | BR-F-22: The CMS TRA Defines a Services Framework Architecture | Added new business rule for Services framework |
| Network Services | WAN Business Rules and Practices | BR-WAN-O-2: Access to the Public Internet Will Be Via the HHS TIC | Trusted Internet Connections (TIC) updated to new guidance for OMB-M-19-26 |
| All | All | HCD - General Website Layout |
Added working breadcrumb links at the top of all pages. Moved previous and next page icons to left bottom, out of the content and made them fixed. They no longer scroll with the content. |
| Application Development | Portal Integration Options | URL Pass-through and Native Portlet | Obsolete content: Added updates from portal team input. |
| Data Management | Data Lake Onboarding | Data Lake Onboarding | Obsolete content: Updated URLs |
| Data Management | Data Catalogs | Data Catalogs | Obsolete content: Updated URLs |
| Data Management | EUDC | User Data Catalogs | Obsolete content: Updated Chart |
| Application Development | Future Considerations | Standard SOAP Headers | Obsolete content: Removed content |
| Application Development | Principles | Digital Service Delivery and Human Centered Design | Obsolete content: Updated terminology from "User Centered Design" to "Human Centered Design" and removed broken link. |
| Application Development | Business Rules and Recommended Practices | BR-DBM-3: Systems must meet CMS Data and Database Management Standards | Obsolete content: CDA has been rebranded to Data Architecture (DA). Revised content to reflect new services |
| All | All | All | Added TRA version and date to header to display on all pages |
| Infrastructure Services | Network Virtualization | Future Considerations | Obsolete content: Removed future considerations for virtualization |
| Application Development | Fast Data | Fast Data | Obsolete content: Removed outdated content based of TRB feedback. |
| Foundation | Services Framework | Services Framework Architecture |
Some audience were unclear if the Services framework was mandatory: Clarified language to state the CMS Services Framework is an option and that multi-tier is still valid (content since removed). |
|
2021 R2.2Released 3 Mar 22 |
|||
| Infrastructure Services | DR Key Concepts and Definitions | Disaster |
Inclusive and sensitive terminology ("man-made"): Updated language to "human-caused" |
| Publishing Platform | N/A | N/A |
Security update to API connector: Applied new version of axios (v3.3) code. |
|
2021 R2.1 Released 10 Feb 22 |
|||
| Change Log | N/A | N/A |
Updated table and columns formatting Navigation - provided additional links to changed material |
| Reference | Acronyms | N/A | Formatting - Added borders to table |
| Reference | Glossary | N/A | Formatting- Added borders to table |
| All | All | Various |
Transform from pdf to online - duplicate figure and table numbers no longer applicable in web version: Removed table and figure numbers |
| All | All | N/A |
Transform from pdf to online: Sequenced all url names to match order of content |
| Foundation | Guiding Principles | Various |
Transform from pdf to online: Updated hard references of "Volumes" for online |
| Foundation | Guiding Principles | N/A |
Transform from pdf to online: Changed section number reference to link |
| Application Development | Concepts and Terminology | Various |
Transform from pdf to online: Updated hard references of "Volumes" for online |
| Foundation | CMS TRA Multi-Zone Architecture | Various |
Transform from pdf to online: Updated hard references of "Volumes" for online |
|
2021 R2 Authorized 6 Jan 22 |
|||
| Foundation | Guiding Principles | Common Platform Services | Removed explicit product reference |
| Foundation | CMS TRA Multi-Zone Architecture | Network Connectivity and Trust Boundaries |
Change wording to indicate that these networks operate at a high level of trust (vs explicitly trusted) Edited the text to remove the explicit trust reference, indicating that CMSNet and CMS data centers operate at an elevated trust level, but best practice would be to authenticate all network connections (aligns to future zero trust security model being pushed through the recent Executive Order on Cybersecurity). |
| Foundation | CMS TRA Business Rules | BR-F-6: Mainframes Must Be Dedicated to CMS |
Remove IBM reference, but can retain reference to logical partitions. Cite the requirement for an AAA (Authorization, Auditing, Authentication) tool. RACF can be generically referred to as an example of such. After review with TRB, the IBM references can remain. Added AA references and removed specific naming of RACF. |
| Infrastructure Services | Software as a Service |
CMS Performance Management Systems; BR-KSM-1: KSM Auditing Must Be Enabled and Connected to CMS Logging Infrastructure |
Added references that explains logging in detail. Addressed explicit references to specific products. |
| Infrastructure Services | Keys and Secrets Management | Enterprise Monitoring & Management Matrix | Addressed explicit references to specific products. |
| Application Development Services | Application Development |
Data and Database Management; BR-DBM-3: Systems Must Meet CMS Data and Database Management Standards |
Updated chapter references |
| Application Development Services | Application Development |
Packaging and Delivery; BR-PD-2: Software Target Packaging Must Be in Either the Operating System or Language Platform Native Form |
Addressed explicit references to specific products. |
| Application Development Services | Open Source Software |
Business Rules and Recommended Practices (Open Source); BR-OSS-12: CMS-Released OSS Code Must Include Automated Unit Tests, Build Scripts and Be Checked for Software Vulnerabilities |
Addressed explicit references to specific products. |
| Application Development Services | Portal Strategy | Current State of CMS Portals | After review with TRB, removed outdated Portals diagram. |
| Application Development Services | Business Intelligence | Data Warehouses | Removed obsolete references within list of available CMS data stores |
| Application Development Services | Business Intelligence | Business Intelligence Servers | Addressed explicit references to specific products. |
| Application Development Services | Business Intelligence | Hardware and Software Platforms | Addressed explicit references to specific products. |
| Application Development Services | Business Intelligence | Business Intelligence Servers | Addressed explicit references to specific products. |
| Application Development Services | Business Intelligence | Database Servers | Addressed explicit references to specific products. |
| Application Development Services | Business Intelligence | Integrate Operational Data Sources | Addressed explicit references to specific products. |
| Application Development Services | Business Intelligence | Data Integrity / Quality | Addressed explicit references to specific products. |
| Application Development Services | Business Intelligence | Metadata Integration | Addressed explicit references to specific products. |
| Application Development Services | Web Services Technology Overview | Monitoring Lambda Functions | Addressed explicit references to specific products. |
| Application Development Services | Web Services Technology Overview | BR-LD-2: Integrate with CMS Enterprise Security | Addressed explicit references to specific products. |
| Application Development Services | Future Considerations | Implications for CMS Development | Addressed explicit references to specific products. |
| Application Development Services | Glossary | Section Glossary: Enterprise User Administration (EUA) | Addressed explicit references to specific products. |
| Application Development Services | Business Intelligence | Web Servers | Addressed explicit references to specific products. |
| Application Development Services | Containers and Microservices | CMS Considerations and Recommendations for Using AWS Lambda | Removed text indicating AWS Lambda as not yet FedRamp approved |
| Data Management | Enterprise Data Environment Overview | 1.1.1 CMS Master Data Management | Removed the actual MDM API names and reworded to describe functionality |
| Data Management | Enterprise Data Environment Overview | 1.1 Data Lake Onboarding | Genericized description of associated S3 buckets |
| Data Management | Enterprise Data Environment Overview | 1.1 User Data Catalog Capabilities |
Diagram depicts various specific tool names. Added text to document to indicate a "sample" diagram. |
| Data Management | Enterprise Data Environment Overview | 2.5 Data Lake Onboarding | Added links to pages on EDL Confluence space for Contributor and Consumer onboarding instructions |
| Data Management | Enterprise Data Environment Overview | 2.6 Data Catalogs | EDL's user data catalog: changed references to user data catalog to EUDC |
| Data Management | Chapter 3 | 3.1 Authentication | EDL access and authentication: Added description for how to access the EUDC |
| Data Management | List of Acronyms | Introduced DA to acronym list; removed CDA | |
|
2021 R1.1 Released 1 Sep 21 |
|||
| Application Development | Common Engineering Support Services | all | Replaced section of missing content from conversion to web |
| Application Development | Common Engineering Support Services | all | Replaced missing content from conversion to web |
TRA 2025 Release 1 • General Distribution / Unclassified Information